feat: add EgressManager — per-service egress enforcement via host iptables

Routes outbound traffic from installed service containers through
alternate exits (wireguard_ext, openvpn, tor) using host-side
iptables fwmark policy-routing in a dedicated PIC_EGRESS chain.
Marks 0x110/0x120/0x130 are distinct from ConnectivityManager's
0x10/0x20/0x30. Container IPs discovered at runtime via docker
inspect. Wired into ServiceStoreManager install/remove lifecycle
and managers.py singleton. 22 new tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/managers.py

@@ -95,6 +95,15 @@ service_store_manager = ServiceStoreManager(
     service_composer=service_composer,
 )
 
+from egress_manager import EgressManager
+egress_manager = EgressManager(
+    config_manager=config_manager,
+    service_store_manager=service_store_manager,
+    data_dir=DATA_DIR,
+    config_dir=CONFIG_DIR,
+)
+service_store_manager.egress_manager = egress_manager
+
 setup_manager = SetupManager(config_manager=config_manager, auth_manager=auth_manager)
 
 # Service logger configuration
@@ -132,6 +141,7 @@ __all__ = [
     'cell_link_manager', 'auth_manager', 'setup_manager', 'caddy_manager',
     'ddns_manager', 'service_store_manager', 'connectivity_manager',
     'service_registry', 'service_composer', 'account_manager',
+    'egress_manager',
     'firewall_manager', 'EventType',
     'DATA_DIR', 'CONFIG_DIR',
 ]